This paper proposes a type-and-effect system called T^eq_↓, which distinguishes terminating terms and total functions from possibly diverging terms and partial functions, for a lambda calculus with general recursion and equality types. The central idea is to include a primitive type-form "Terminates t", expressing that term t is terminating, and then to allow terms t to be coerced from possibly diverging to total, using a proof of Terminates t. We call such coercions termination casts, and show how to implement terminating recursion using them. For the meta-theory of the system, we describe a translation from T^eq_↓ to a logical theory of termination for general recursive, simply typed functions. Every typing judgment of T^eq_↓ is translated to a theorem expressing the appropriate termination property of the computational part of the T^eq_↓ term.

1 Introduction 

Soundly combining general recursion and dependent types is a significant current challenge in the design of dependently typed programming languages. The two main difficulties raised by this combination are (1) type-equivalence checking with dependent types usually depends on term reduction, which may fail to terminate in the presence of general recursion; and (2) under the Curry-Howard isomorphism, non-terminating recursions are interpreted as unsound inductive proofs, and hence we lose soundness of the type system as a logic.

Problem (1) can be addressed simply by bounding the number of steps of reduction that can be 
performed in a single conversion. This solution may seem ad hoc, but it is less problematic if one works, 
as we do here, with a primitive notion of propositional equality, and no automatic conversion. Explicit 
casts with equality proofs are used to change the types of terms, and so with a bound on the number 
of reduction steps allowed, one may simply chain together a sequence of conversions to accommodate 
long-running terms in types. There are certainly some issues to be addressed in making such a solution 
workable in practice, but it is not a fundamental problem. 

Problem (2), on the other hand, cannot be so easily dealt with, since we must truly know that a recursive function is total if we are to view it soundly as an inductive proof. One well-known approach to this problem was proposed by Capretta [7]: extend a terminating type theory (that is, one for which we have a sound static analysis for totality, which we use to require all functions to be total) with general recursion via coinductive types. Corecursion is used to model general-recursive functions, without losing logical soundness: productive corecursive functions correspond to sound coinductive arguments. The type constructor (·)^ν for possibly diverging computations, together with natural operations on it, is shown to form a monad.

A separate problem related to (2) is extending the flexibility of totality checking for total type theories. It is well-known that structural termination can become awkward for some functions like, for example, natural-number division, where a recursive call must be made on the result of another function call. For this situation, methods like type-based termination have been proposed: see Barthe et al. [?] and several subsequent works by those authors; also, Abel [?]. The idea in type-based termination is, roughly, to associate sizes with data, and track sizes statically across function calls. Recursive calls must be on data with smaller size. This method certainly increases the range of functions judged total in their natural presentation. No static termination analysis will be complete, so there will always be programs that type-based termination cannot judge terminating. When such analyses fail, programmers must rewrite their code so that its termination behavior is more apparent to the analysis. What is required is a flexible method for such explicit termination arguments.

This paper's contribution  This paper proposes a system called T^eq_↓ that can be seen as building on both these lines of work. We develop a type-and-effect system where the effect distinguishes total from possibly partial terms. The type assignment judgment Γ ⊢ t : T θ includes a termination effect θ, which can be either ↓ (called "total"), for terms that are known to terminate, or ? (called "general"), for terms whose termination behavior is unknown.

We can view this approach as building, at least in spirit, on Capretta's approach with the partiality monad, thanks to the close connection between monads and effects, as shown by Wadler and Thiemann [19]. Of course, there are important differences between the monadic and effectful approaches, most notably that effects are hard-wired into the language definition, while monads are usually programmer-defined. We adopt the effectful approach here, since we are particularly focused on these two kinds of computation, terminating and possibly partial, as fundamental. We thus deem them appropriate for hard-wiring into the language itself. Exploring the tradeoffs more deeply between these two approaches must remain to future work.

Importantly, T^eq_↓ provides a flexible approach to termination because the judgment of totality, Γ ⊢ t : T ↓, is internalized into the type system. The type Terminates t expresses termination of term t. The effect of a term can thus be changed from possibly partial to total by casting the term t with a proof of Terminates t. These termination casts change the type checker's view of the termination behavior of a term, much as a (sound) type cast changes its view of the type of the term. Termination casts are used with the terminating recursion operator: the body of the putatively terminating recursive function is type-checked under the additional explicit assumption that calls with a structurally smaller argument are terminating.

By reifying this basic view of structural termination as an explicit typing assumption, we follow the spirit of type-based termination: our method eliminates the need for a separate structural check (proposed as an important motivation for type-based termination [?]), and gives the programmer even more flexibility in the kind of functions s/he can write. This is because instead of relying on a static analysis to track sizes of datatypes, our approach allows the user (or an automated reasoning system) to perform arbitrarily complex reasoning to show termination of the function. This reasoning can be internal, using termination casts, or completely external: one can write a general-recursive function that the type checker can only judge to be possibly partial, and later prove a theorem explicitly showing that the function is terminating. Of course, one could also wish to support what we would see as a hybrid approach, in the style of the PROGRAM tactic in Coq [16], but this is outside the scope of the present paper.

Outline of the development  In Section 2 we first present the syntax, reduction rules and type assignment system for T^eq_↓. Because type assignment is not algorithmic for T^eq_↓, we also develop an annotated version of T^eq_↓ suitable for implementation, where terms are annotated to enable algorithmic type checking. We follow this explanation with a number of examples of the use of termination casts, in Section 3. Next, in Section 4 we develop our central meta-theoretic result, based on a translation of T^eq_↓ typing judgments to judgments about termination of the term in question, formulated in a first-order logical theory of general-recursive functions (called W'). This system is similar in spirit to Feferman's theory W (see Chapter 13 of [10]), although with significant syntactic differences, and support for hypothetical reasoning about termination. We show that T^eq_↓ is sound with respect to this translation. Also, we find that constructive reasoning suffices for soundness of the translation, so we take W' to be intuitionistic (whereas an important characteristic of W is that its logic is classical).

    effects    θ, ρ ::= ↓ | ?
    types      T    ::= nat | Π^θ x:T.T' | t = t' | Terminates t
    terms      t    ::= x | λx.t | t t' | 0 | Suc t | rec f(x) = t | case t t' t''
                      | join | terminates | contra | abort
    values     v    ::= x | 0 | Suc v | λx.t | rec f(x) = t | join | terminates | contra
    contexts   𝓔    ::= [] | Suc 𝓔 | 𝓔 t | v 𝓔 | case 𝓔 t t'

Figure 1: Syntax of T^eq_↓



The language T^eq_↓ is a simple language with natural numbers and dependently-typed recursive functions. The syntax of types T and terms t appears in Figure 1. The variable x is bound in t in the term λx.t and in T' in the type Π^θ x:T.T'. As explained below, θ for Π-types represents the latent effect of the function's computation (it does not describe the input argument). The variables f and x are bound in t in the term rec f(x) = t. We use the notation [t'/x]T and [t'/x]t to denote the capture-avoiding substitution of t' for x in types and terms respectively.

We deliberately omit from T^eq_↓ many important type-theoretic features which we believe to be orthogonal to the central ideas explored here. A full-fledged type theory based on these ideas would include user-defined inductive types, type polymorphism, perhaps a universe hierarchy, large eliminations, implicit products, and so forth. Some of these features, in particular large eliminations, raise serious technical challenges for this approach (and many others). For this paper we develop the core ideas needed for distinguishing total and possibly partial computations with our effect system and using termination casts to internalize termination, leaving other problems to future work.

2.1 Operational semantics 

Reduction for T^eq_↓ is defined as a call-by-value small-step operational semantics. Figure 1 presents the syntax of values and evaluation contexts and Figure 2 contains the two judgments that make up this semantics. Values in T^eq_↓ include variables, natural numbers, functions and primitive proof terms for the internalized judgments of equality and termination.

We define the reduction rules with two relations: the primitive rules, written t →_p t', describe reduction when a value is in an active position. This relation is used by the main reduction relation t → t', which lifts beta reduction through evaluation contexts 𝓔 and terminates computation for abort, representing finite failure. Other proof forms, including contra, are considered values. We cannot, in fact, obtain a contradiction in the empty context (assuming our theory W' is consistent), but at this point in the development that cannot be shown.

t →_p t'   (primitive reduction)

    (λx.t) v →_p [v/x]t                                   Beta_AppAbs
    (rec f(x) = t) v →_p [v/x][rec f(x) = t / f]t          Beta_AppRec
    case 0 t t' →_p t                                      Beta_CaseZero
    case (Suc v) t t' →_p t' v                             Beta_CaseSuc

t → t'   (main reduction)

    t →_p t'
    --------------- Red_Ctxt
    𝓔[t] → 𝓔[t']

    --------------------- Red_Abort
    𝓔[abort] → abort

Figure 2: Call-by-value small-step operational semantics

2.2 Type assignment 

Figure 3 defines the type-assignment system. The judgment Γ ⊢ t : T θ states that the term t can be assigned type T in the context Γ with effect θ. (The other two judgments, Γ ⊢ Ok and Γ ⊢ T, are used by this one to check that contexts and types are well formed.) We define the system such that θ is an approximation of the termination behavior of the term. If we can derive a judgment Γ ⊢ t : T ↓, then this means that for any assignment of values to the variables in Γ, reduction of t must terminate. (If the context is inconsistent, t might not terminate even if the type system judges it to do so, since an inconsistent context can make unsatisfiable assertions about termination, which may pollute the type system's judgments.) In contrast, the judgment Γ ⊢ t : T ? places no restrictions on the termination behavior of t. We view θ as a capability on termination behavior [9]. A term with capability ? is allowed to diverge, but terms with capability ↓ cannot. As a result, any term that typechecks with ↓ will also typecheck with ?. Thus ? is more permissive than ↓, and we order them as ↓ < ?.

Such reasoning is reflected in the type system. T^eq_↓ has a call-by-value operational semantics, so variables stand for values. Therefore, a variable is known to terminate, so we can type variables with any effect in rule T_Var. This pattern occurs often; all terms that are known to terminate have unconstrained effects in the conclusion of their typing rules. In this way, we build subeffecting into the type system and do not need an additional rule to coerce total terms to general ones. Because of this subeffecting, when a premise of a rule uses the general effect, such as K_Eq, it places no restriction on the term.

As is standard in type-and-effect systems, function types are annotated with a latent effect. This effect records the termination effect for the body of the function, in rule T_Abs. Likewise, in an application (rule T_App), the latent effect of the function must be equal or less than the current termination effect. Note that, although the system supports subeffecting, it does not support subtyping. In an application, the type of the argument must exactly match that expected by the function. Although there is a natural extension of subeffecting to subtyping, for simplicity we have not included it in this system.

T^eq_↓ types include two propositions. The type t = t' states that two terms are equal and the type Terminates t declares that term t is terminating. The introduction form for the equality proposition (rule T_Join) requires both terms to be well typed and evaluate to a common reduct. For flexibility, these terms need not be judged terminating nor have the same type. The elimination form (T_Conv) uses a total proof of equality to convert between equivalent types. Likewise, the introduction form for the Terminates t proposition (T_Reify) requires showing that the term terminates. Analogously, the elimination form (T_Reflect) uses a total proof of termination to change the effect of t. T^eq_↓ also internalizes an admissible property of the judgment with the empty context: if a term terminates, then the subterm in the active position of the term terminates (T_CtxTerm). This property does not (appear to) follow constructively from the others.

Γ ⊢ T   (types are well formed)

    Γ ⊢ Ok
    ------------ K_Nat
    Γ ⊢ nat

    Γ ⊢ T    Γ, x:T ⊢ T'
    ------------------------ K_Pi
    Γ ⊢ Π^θ x:T.T'

    Γ ⊢ t : T ?    Γ ⊢ t' : T' ?
    -------------------------------- K_Eq
    Γ ⊢ t = t'

    Γ ⊢ t : T ?
    ------------------------ K_Term
    Γ ⊢ Terminates t

Γ ⊢ Ok   (contexts are well formed)

    ------------ Ok_empty
    · ⊢ Ok

    Γ ⊢ Ok    Γ ⊢ T
    ------------------ Ok_cons
    Γ, x:T ⊢ Ok

Γ ⊢ t : T θ   (terms)

    Γ ⊢ t : T ?    Γ ⊢ t' : T' ?    t and t' have a common reduct
    --------------------------------------------------------------- T_Join
    Γ ⊢ join : t = t' θ

    Γ ⊢ t : T ↓
    ------------------------------------- T_Reify
    Γ ⊢ terminates : Terminates t θ

    Γ ⊢ t : [t₂/x]T θ    Γ ⊢ t' : t₁ = t₂ ↓    Γ ⊢ [t₁/x]T
    ----------------------------------------------------------- T_Conv
    Γ ⊢ t : [t₁/x]T θ

    Γ ⊢ t : T ?    Γ ⊢ t' : Terminates t ↓
    ------------------------------------------ T_Reflect
    Γ ⊢ t : T θ

    Γ ⊢ t : Terminates 𝓔[t'] θ
    -------------------------------- T_CtxTerm
    Γ ⊢ t : Terminates t' θ

    Γ(x) = T    Γ ⊢ Ok
    -------------------- T_Var
    Γ ⊢ x : T θ

    Γ, x:T' ⊢ t : T ρ    Γ ⊢ Π^ρ x:T'.T
    -------------------------------------- T_Abs
    Γ ⊢ λx.t : Π^ρ x:T'.T θ

    Γ ⊢ t : Π^ρ x:T'.T θ    Γ ⊢ t' : T' θ    ρ ≤ θ
    ------------------------------------------------- T_App
    Γ ⊢ t t' : [t'/x]T θ

    Γ ⊢ Ok
    ---------------- T_Zero
    Γ ⊢ 0 : nat θ

    Γ ⊢ t : nat θ
    --------------------- T_Suc
    Γ ⊢ Suc t : nat θ

    Γ ⊢ t : 0 = Suc t' ↓
    ------------------------ T_Contra
    Γ ⊢ contra : T θ

    Γ ⊢ Ok
    -------------------- T_Abort
    Γ ⊢ abort : T ?

    Γ ⊢ t : nat θ    Γ ⊢ t' : [0/x]T θ    Γ ⊢ t'' : Π^ρ x':nat.[Suc x'/x]T θ    ρ ≤ θ
    ------------------------------------------------------------------------------------ T_Case
    Γ ⊢ case t t' t'' : [t/x]T θ

    Γ, f : Π^? x:T'.T, x:T' ⊢ t : T ?
    ---------------------------------------- T_Rec
    Γ ⊢ rec f(x) = t : Π^? x:T'.T θ

    p ∉ fv(t)    Γ, f : Π^? x:nat.T, x:nat, p : Π^↓ x₁:nat.Π^↓ q:x = Suc x₁.Terminates (f x₁) ⊢ t : T ↓
    ------------------------------------------------------------------------------------------------ T_RecNat
    Γ ⊢ rec f(x) = t : Π^↓ x:nat.T θ

Figure 3: Type assignment system

Recursive functions can be typed with either general or total latent effects. In the latter case, the T_RecNat rule introduces a new hypothesis into the context that may be used to show that the body of the function is total. The assumption p : Π^↓ x₁:nat.Π^↓ p':x = Suc x₁.Terminates (f x₁) is an assertion that for any number x₁ that is one less than x, the recursive call (f x₁) terminates. Even though the type of f has a ? latent effect, recursive calls on the immediate predecessor can be cast to be total using this assumption.

The rule T_RecNat includes a restriction that p ∉ fv(t). This means that the only places that p can occur in a typing derivation are in the proof-premises of T_Conv, T_Reflect, and T_Contra. The advantage of setting up the system this way is that we can define the operational semantics without any reference to proofs: the rule Beta_AppRec does not have to specify a proof term to substitute for free occurrences of p in t. In other words the T_RecNat rule bakes in a form of proof erasure [12, 3, 11].

We may worry that this restriction limits the expressiveness of the language because the variable p can not be used in every context. However, that is not the case as our system satisfies a form of proof irrelevance. No matter what proof we have of termination, we can always use the rules T_Reify and T_Reflect to replace it by the (computationally) uninformative proof terminates. We give an example of this behavior in the next section. Thus, we do not lose anything by making the proof variable p second-class, since we can always replace it with a proof that does not mention p. (Likewise, equality proofs are irrelevant, as we can use T_Join followed by T_Conv to show that Γ ⊢ u : t = t' ↓ implies Γ ⊢ join : t = t' ↓.)

2.3 Annotated language 

The previous two subsections provide a complete specification of the T^eq_↓ language. However, in T^eq_↓, type inference is not algorithmic. Given a context Γ, a term t and effect θ, it is not clear how to determine if there is some T such that Γ ⊢ t : T θ holds. The terms do not contain enough information to indicate how to construct a typing derivation.

Fortunately, it is straightforward to produce an annotated version of T^eq_↓ where the type checking algorithm is fully determined. Below we give the syntax of the annotated terms. The full typing rules for the annotated system appear in Figure 6. The judgment form is Γ ⊩ a : S θ, where algorithmically, Γ, a, and θ are inputs to the type checker and type S is the output.

Most annotated term forms have a direct correspondence to the unannotated terms. Figure 5 defines the operation |·| that erases annotations. Notably, there are two different forms of recursion, based on which typing rule should be used. Furthermore, the syntax includes terms (conv x.S a a', inv a a', and reflect a a') that mark where type conversions, termination inversions and termination casts should occur; these are implicit in the unannotated system.

The annotated system uses types S that are exactly like types T except that they contain annotated terms. However, because there is no operational semantics defined for annotated terms, the join rule (shown below) first erases the annotations before determining if there is some common reduct. Likewise, the inversion rule uses erasure to find the evaluation context.

    annot. types   S ::= nat | Π^θ x:S.S' | a = a' | Terminates a
    annot. terms   a ::= x | a a' | λ^θ x:S.a | 0 | Suc a
                       | rec_nat f(x p) : S = a | rec f(x:S) : S' = a | case x.S a a' a''
                       | join a a' | conv x.S a a' | terminates a | reflect a a'
                       | inv a a' | contra S a | abort S

Figure 4: Syntax of annotated T^eq_↓

Terms:
    |x|                          = x
    |a a'|                       = |a| |a'|
    |λ^θ x:S.a|                  = λx.|a|
    |0|                          = 0
    |Suc a|                      = Suc |a|
    |case x.S a a' a''|          = case |a| |a'| |a''|
    |rec_nat f(x p) : S = a|     = rec f(x) = |a|
    |rec f(x:S) : S' = a|        = rec f(x) = |a|
    |join a a'|                  = join
    |terminates a|               = terminates
    |contra S a|                 = contra
    |abort S|                    = abort
    |conv x.S a a'|              = |a|
    |reflect a a'|               = |a|
    |inv a a'|                   = |a|

Types:
    |nat|                        = nat
    |Π^θ x:S.S'|                 = Π^θ x:|S|.|S'|
    |a = a'|                     = |a| = |a'|
    |Terminates a|               = Terminates |a|

Figure 5: Annotation erasure

Γ ⊩ S   (annotated types are well formed)

    Γ ⊩ Ok
    ------------ S_Nat
    Γ ⊩ nat

    Γ ⊩ S    Γ, x:S ⊩ S'
    ------------------------ S_Pi
    Γ ⊩ Π^θ x:S.S'

    Γ ⊩ a : S ?    Γ ⊩ a' : S' ?    Γ ⊩ S    Γ ⊩ S'
    -------------------------------------------------- S_Eq
    Γ ⊩ a = a'

    Γ ⊩ a : S ?
    ------------------------ S_Term
    Γ ⊩ Terminates a

Γ ⊩ Ok   (contexts are well formed)

    ------------ Oka_empty
    · ⊩ Ok

    Γ ⊩ Ok    Γ ⊩ S
    ------------------ Oka_cons
    Γ, x:S ⊩ Ok

Γ ⊩ a : S θ   (annotated terms)

    Γ ⊩ a : S ?    Γ ⊩ a' : S' ?    |a| and |a'| have a common reduct
    ------------------------------------------------------------------- A_Join
    Γ ⊩ join a a' : a = a' θ

    Γ ⊩ a : S ↓
    ------------------------------------------ A_Reify
    Γ ⊩ terminates a : Terminates a θ

    Γ ⊩ a : [a₂/x]S θ    Γ ⊩ a' : a₁ = a₂ ↓    Γ ⊩ [a₁/x]S
    ------------------------------------------------------------ A_Conv
    Γ ⊩ conv x.S a a' : [a₁/x]S θ

    Γ ⊩ a : S ?    Γ ⊩ a' : Terminates a ↓
    ------------------------------------------ A_Reflect
    Γ ⊩ reflect a a' : S θ

    Γ ⊩ a : Terminates a'' θ    |a''| = 𝓔[|a'|]
    ---------------------------------------------- A_CtxTerm
    Γ ⊩ inv a a' : Terminates a' θ

    Γ(x) = S    Γ ⊩ Ok
    -------------------- A_Var
    Γ ⊩ x : S θ

    Γ, x:S' ⊩ a : S ρ    Γ ⊩ Π^ρ x:S'.S
    ---------------------------------------- A_Abs
    Γ ⊩ λ^ρ x:S'.a : Π^ρ x:S'.S θ

    Γ ⊩ a : Π^ρ x:S'.S θ    Γ ⊩ a' : S' θ    ρ ≤ θ
    -------------------------------------------------- A_App
    Γ ⊩ a a' : [a'/x]S θ

    Γ ⊩ Ok
    ---------------- A_Zero
    Γ ⊩ 0 : nat θ

    Γ ⊩ a : nat θ
    --------------------- A_Suc
    Γ ⊩ Suc a : nat θ

    Γ ⊩ a : 0 = Suc a' ↓
    -------------------------- A_Contra
    Γ ⊩ contra S a : S θ

    Γ ⊩ Ok
    ----------------------- A_Abort
    Γ ⊩ abort S : S ?

    Γ ⊩ a : nat θ    Γ ⊩ a' : [0/x]S θ    Γ ⊩ a'' : Π^ρ x':nat.[Suc x'/x]S θ    ρ ≤ θ
    ------------------------------------------------------------------------------------- A_Case
    Γ ⊩ case x.S a a' a'' : [a/x]S θ

    Γ, f : Π^? x:S'.S, x:S' ⊩ a : S ?
    ------------------------------------------------- A_Rec
    Γ ⊩ rec f(x:S') : S = a : Π^? x:S'.S θ

    p ∉ fv(a)    Γ, f : Π^? x:nat.S, x:nat, p : Π^↓ x₁:nat.Π^↓ y:x = Suc x₁.Terminates (f x₁) ⊩ a : S ↓
    ------------------------------------------------------------------------------------------------- A_RecNat
    Γ ⊩ rec_nat f(x p) : S = a : Π^↓ x:nat.S θ

Figure 6: Annotated type checking system

Simple comparison of the typing rules of the two systems in a straightforward inductive proof shows 
that the annotated system is sound and complete with respect to the implicit system. 

Proposition 1 (Soundness of annotated system)  If Γ ⊩ a : S θ then Γ ⊢ |a| : |S| θ.

Proposition 2 (Completeness of annotated system)  If Γ ⊢ t : T θ then there exists an a and S, such that |a| = t and |S| = T and Γ ⊩ a : S θ.

Note that although type inference is syntax-directed, it is only decidable in the annotated system 
if there is some cut-off in normalization in the join rule. Even if we were to require a and a' to have 
the total effect in this rule, this restriction would not ensure decidability. An inconsistent context could 
type a looping term with a total effect. It would be reasonable to make the cutoff part of the annotated 
join-term itself, although here we use a global cut-off. Note that imposing a cutoff in the join rule in 
the annotated system does not jeopardize completeness as a single join in the implicit system can be 
translated to several joins in the annotated system. 
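As an added illustration for this page (not code from the paper or its authors), the following Python implements the call-by-value reduction relation of Figures 1 and 2 for implicit terms, and the step-bounded common-reduct check that the discussion of the join rule above calls for. The tagged-tuple term encoding, the helper names (`step`, `normalize`, `join_ok`, `alpha_eq`), the step budget, and the sample terms `PLUS` (the general-recursion `plus` of Section 3) and `OMEGA` are this example's own choices, not the paper's notation.

```python
"""CBV small-step semantics for implicit T^eq_↓ terms (Figures 1, 2) and a step-bounded
common-reduct check for the join rule.  Example code for this page, not the authors'.
Terms are tagged tuples: ('var',x) ('lam',x,t) ('app',t,t') ('zero',) ('suc',t)
('rec',f,x,t) ('case',t,t0,t1) ('join',) ('terminates',) ('contra',) ('abort',)"""
from itertools import count
_fresh = count(1)   # counter for renaming binders during substitution

def children(t): return t[1:] if t[0] in ('app', 'suc', 'case') else ()   # non-binding subterms

def fv(t):
    """Free variables of t."""
    if t[0] == 'var': return {t[1]}
    if t[0] in ('lam', 'rec'): return fv(t[-1]) - set(t[1:-1])
    return set().union(*(fv(c) for c in children(t)))

def subst(t, x, v):
    """Capture-avoiding [v/x]t: a binder that occurs free in v is renamed first."""
    if t[0] == 'var': return v if t[1] == x else t
    if t[0] in ('lam', 'rec'):
        binders, body = list(t[1:-1]), t[-1]
        if x in binders: return t                      # x is shadowed here
        for i, y in enumerate(binders):
            if y in fv(v):
                binders[i] = f"{y}_{next(_fresh)}"
                body = subst(body, y, ('var', binders[i]))
        return (t[0], *binders, subst(body, x, v))
    return (t[0], *(subst(c, x, v) for c in children(t)))

def is_value(t):
    """Values of Figure 1: variables, numerals, functions and the primitive proofs."""
    return t[0] in ('var', 'zero', 'lam', 'rec', 'join', 'terminates', 'contra') \
        or (t[0] == 'suc' and is_value(t[1]))

def decompose(t):
    """Split a non-value t as E[r]: the active subterm r and a function plugging E."""
    if t[0] == 'suc':                                  # E ::= Suc E
        r, plug = decompose(t[1]); return r, lambda u: ('suc', plug(u))
    if t[0] == 'app' and not is_value(t[1]):           # E ::= E t'
        r, plug = decompose(t[1]); return r, lambda u: ('app', plug(u), t[2])
    if t[0] == 'app' and not is_value(t[2]):           # E ::= v E
        r, plug = decompose(t[2]); return r, lambda u: ('app', t[1], plug(u))
    if t[0] == 'case' and not is_value(t[1]):          # E ::= case E t' t''
        r, plug = decompose(t[1]); return r, lambda u: ('case', plug(u), t[2], t[3])
    return t, lambda u: u                              # E = [], t itself is active

def prim(r):
    """Primitive rules r ->p r' of Figure 2; None if r is stuck (e.g. a free variable applied)."""
    if r[0] == 'app' and r[1][0] == 'lam':             # Beta_AppAbs
        _, x, body = r[1]; return subst(body, x, r[2])
    if r[0] == 'app' and r[1][0] == 'rec':             # Beta_AppRec: unfold f, then bind x
        _, f, x, body = r[1]; return subst(subst(body, f, r[1]), x, r[2])
    if r[0] == 'case' and r[1][0] == 'zero': return r[2]                    # Beta_CaseZero
    if r[0] == 'case' and r[1][0] == 'suc': return ('app', r[3], r[1][1])   # Beta_CaseSuc
    return None

def step(t):
    """One step of the main relation t -> t'; None for values, abort and stuck terms."""
    if is_value(t) or t[0] == 'abort': return None
    r, plug = decompose(t)
    if r[0] == 'abort': return ('abort',)              # Red_Abort: E[abort] -> abort
    r2 = prim(r)
    return None if r2 is None else plug(r2)            # Red_Ctxt: E[r] -> E[r']

def normalize(t, budget):
    """Reduce t for at most `budget` steps: (result, steps) or None if the budget runs out."""
    steps = 0
    while True:
        nxt = step(t)
        if nxt is None: return t, steps
        if steps == budget: return None
        t, steps = nxt, steps + 1

def alpha_eq(s, t, env=()):
    """Syntactic equality up to renaming of bound variables (env pairs binders, innermost first)."""
    if s[0] != t[0]: return False
    if s[0] == 'var':
        for a, b in env:
            if s[1] == a or t[1] == b: return s[1] == a and t[1] == b
        return s[1] == t[1]
    if s[0] in ('lam', 'rec'):
        return alpha_eq(s[-1], t[-1], tuple(zip(s[1:-1], t[1:-1])) + env)
    return all(alpha_eq(a, b, env) for a, b in zip(children(s), children(t)))

def join_ok(t1, t2, budget=1000):
    """Cut-off join premise: both sides reach a common reduct within `budget` steps each."""
    a, b = normalize(t1, budget), normalize(t2, budget)
    return a is not None and b is not None and alpha_eq(a[0], b[0])

def num(n): return ('zero',) if n == 0 else ('suc', num(n - 1))   # numeral Suc^n 0
def V(x): return ('var', x)

# plus in its general-recursion form (Section 3): λx2. rec f(x1) = case x1 x2 (λz. Suc (f z))
PLUS = ('lam', 'x2', ('rec', 'f', 'x1',
        ('case', V('x1'), V('x2'), ('lam', 'z', ('suc', ('app', V('f'), V('z')))))))
OMEGA = ('rec', 'f', 'x', ('app', V('f'), V('x')))    # rec f(x) = f x: diverges on any input
```

With a budget in place, `join_ok` accepts the equations used on open terms in Section 3 (plus x₂ 0 = x₂, and plus x₂ (Suc z) = Suc (plus x₂ z), where both sides get stuck on the variable z and are compared up to renaming of bound variables), while `(rec f(x) = f x) 0` exhausts the budget and is rejected instead of looping the checker. The check is purely syntactic on reducts; no effect or type information is consulted here.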

Finally, we are not considering the problem of annotation inference for this system. This is an 
important problem to ease the burden of programming with termination casts. We conjecture that in many 
simple cases like structural decrease of a single parameter to the function, the appropriate termination 
casts can be added completely automatically. But working this process out is beyond the scope of this 
paper. 

3 Examples 

Natural number addition: internal verification  Our first example shows how simple structurally recursive functions can be shown terminating at their definition time using the T_RecNat rule. We define natural number addition with the following term, showing first its implicit then annotated versions:

    implicit    plus ≝ λx₂.rec f(x₁) = (case x₁ (λq.x₂) (λx'.λq.Suc (f x'))) join

    annotated   plus ≝ λ^↓ x₂:nat.rec_nat f(x₁ p) : nat =
                       (case x.(Π^↓ q:x₁ = x.nat) x₁
                          (λ^↓ q:x₁ = 0.x₂)
                          (λ^↓ x':nat.λ^↓ q:x₁ = Suc x'.Suc (reflect (f x') (p x' q))))
                       (join x₁ x₁)

In this example, we must abstract over equality types that are then applied to join. This standard trick, used frequently in COQ and similar dependent type theories, introduces different assumptions of equalities into the context, depending on the case branch. As remarked above, we have deliberately omitted from T^eq_↓ a number of features that would improve some of these examples, notably implicit products (as proposed by Miquel [?]) for equality proofs in case-terms.

The typing rules verify that plus is a total operation. For example, in the annotated system we can show:

    · ⊩ plus : Π^↓ x₂:nat.Π^↓ x₁:nat.nat ↓

To see why this is so, consider the context that we use to type check the body of the recursive function:

    Γ ≝ x₁ : nat, x₂ : nat, f : Π^? x₁:nat.nat, p : Π^↓ x':nat.Π^↓ q:x₁ = Suc x'.Terminates (f x')



Stump, Sjoberg, and Weirich 



85 



In this context, we would like to show that the case expression has type (Π^↓ q:x₁ = x₁.nat). Note that the abstraction of q must be ↓ so that when we apply the case expression to join the entire expression will have the ↓ effect. In the zero case, we use rules A_Abs and A_Var to show that the abstraction has the desired total function type.

In the successor case, we use a termination cast to show that the recursive call is total. Without this cast, we would be unable to use the latent effect ↓ in the abstraction of q. Using the rules for variables and application we can show that the recursive call has a general effect, but by itself, this will not let us define a total function.

    Γ, x' : nat, q : x₁ = Suc x' ⊩ f x' : nat ?

However, given the extra argument from the recursive function, we can produce a proof that the recursive call terminates.

    Γ, x' : nat, q : x₁ = Suc x' ⊩ p x' q : Terminates (f x') ↓

From these two, we can use a termination cast to change the effect of the recursive call.

    Γ, x' : nat, q : x₁ = Suc x' ⊩ reflect (f x') (p x' q) : nat ↓

Finally, we can use the rules for successor and abstraction to conclude that the successor case has the desired type.

Natural number addition: external verification  An advantage of this system is that we do not need to prove that plus is total when we define it. We could also define plus using general recursion:

    plus ≝ λx₂.rec f(x₁) = case x₁ x₂ (λz.Suc (f z))

But note, the best typing derivation will assign a ? latent effect to this function. (For brevity, this and further examples will be presented in the implicit language.)

    · ⊢ plus : Π^↓ x₂:nat.Π^? x₁:nat.nat ↓

However, all is not lost. We can still prove the following theorem and use it in a termination cast to show that a particular application of plus terminates. The proof term (below) uses recursion to construct a total witness for this theorem.

    plustotal : Π^↓ x₂:nat.Π^↓ x₁:nat.Terminates (plus x₂ x₁)

    plustotal ≝ λx₂.(rec f(x₁) = (case x₁ (λq.terminates) (λz.λq.terminates)) join)

To understand this proof term, we look at the typing derivation in each branch of the case term. Let Γ be the context that rule T_RecNat uses to check the body of the recursive definition, shown below.

    Γ ≝ x₂ : nat,
        x₁ : nat,
        f : Π^? z:nat.Terminates (plus x₂ z),
        p : Π^↓ z:nat.Π^↓ q:x₁ = Suc z.Terminates (f z)

Then in the zero case, because plus x₂ 0 evaluates to x₂ and variables terminate, we can use rule T_Conv to show that case is total.

    Γ, q : x₁ = 0 ⊢ x₂ : nat ↓
    ------------------------------------------------
    Γ, q : x₁ = 0 ⊢ terminates : Terminates x₂ ↓          Γ ⊢ join : plus x₂ 0 = x₂ ↓
    -------------------------------------------------------------------------------------
    Γ, q : x₁ = 0 ⊢ terminates : Terminates (plus x₂ 0) ↓
    -------------------------------------------------------------
    Γ ⊢ λq.terminates : Π^↓ q:x₁ = 0.Terminates (plus x₂ 0) ↓

For the successor case, we need to make a recursive call to the theorem to show that the recursive call to the function terminates. Below, let Γ' be the extended environment Γ, z : nat, q : x₁ = Suc z and (*) be the derivation of Γ' ⊢ join : plus x₂ (Suc z) = Suc (plus x₂ z) ↓. Then, the derivation looks like:

    Γ' ⊢ plus x₂ z : nat ?        Γ' ⊢ f z : Terminates (plus x₂ z) ↓
    ---------------------------------------------------------------------
    Γ' ⊢ plus x₂ z : nat ↓
    ---------------------------------
    Γ' ⊢ Suc (plus x₂ z) : nat ↓
    ----------------------------------------------------------
    Γ' ⊢ terminates : Terminates (Suc (plus x₂ z)) ↓          (*)
    ----------------------------------------------------------------------
    Γ' ⊢ terminates : Terminates (plus x₂ (Suc z)) ↓

First-class termination proofs  Recursive functions can also call helper functions in their definitions, passing off the recursive term and a proof that the recursive call will terminate. For example, suppose there is some function h that takes an argument, a (general) function to call on that argument, and a proof that the call terminates.

    h : Π^↓ x:nat.Π^↓ f:Π^? x:nat.nat.Π^↓ p:Terminates (f x).nat

For example, h may just apply f to x and use a termination cast to show the effect total. We can use h in the definition of a total recursive function, even if we do not know its definition. (Let Γ be a context which contains the above binding for h.)

    Γ ⊢ rec f(x) = (case x (λq.0) (λz.λq.h z f terminates)) join : Π^↓ x:nat.nat ↓

Note that in this example, we use terminates as the proof that f z terminates. Although T_RecNat introduces the variable p, of type Π^↓ z:nat.Π^↓ q:x = Suc z.Terminates (f z), we cannot pass p z q as the termination proof to h because p cannot be mentioned in the term. However, the proof term terminates works instead, as shown by the following derivation. (Let Γ' be the context in the successor case, i.e. Γ extended with bindings for x, f, p, z and q.)

    Γ' ⊢ p z q : Terminates (f z) ↓        Γ' ⊢ f z : nat ?
    ---------------------------------------------------------- T_Reflect
    Γ' ⊢ f z : nat ↓
    ------------------------------------------ T_Reify
    Γ' ⊢ terminates : Terminates (f z) ↓

Natural number division Finally, we demonstrate a function that requires a course-of- values argument 
to show termination: natural number division. The general problem is that division calls itself recursively 
on a number that is smaller, but is not the direct predecessor of the argument. To show that this function 
terminates, we do structural recursion on an upper bound of the dividend instead of the dividend itself. 
(Note that we could also define division as a possibly partial function, without this extra upper-bound 
argument, and separately write a proof that states that division is a total function.) The type we use for 
division is: 

div : Yl^z-nat.H^x-.nat.Yl^x' ■.nat.Tl^u:{ltex x) = true. nat 
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where z is the divisor, x' is the dividend, x is an upper bound of the dividend, and Ite is a function that 
determines if the first number is "less-than-or-equal" the second. We have been parsimonious in omitting 
a boolean type, so we use and SucO for false and true, respectively in the result of Ite. Therefore, we 
define 

Ite = rec/(x) = Xu. case x ( SucO ) (Ax'. case u {fx ) ) 

and show 

■\- Ite : n'x:nat.nV:nat.nat J, 

Note that we are considering Ite as a possibly partial function; nothing is harmed by not requiring it to be 
total. We also define cut-off subtraction as a total function minus of type n^x:nat.n^x' :nat.nat (details 
omitted). The code for division is then: 

$\mathit{div} = \lambda z.\,((\mathsf{case}\ z\ (\lambda q.\,\lambda x.\,\lambda x'.\,\lambda u.\,0)\ (\lambda z'.\,\lambda q.\,\mathsf{rec}\ f(x) = \lambda x'.\,\lambda u.\,((\mathsf{case}\ (\mathit{lte}\ (\mathsf{Suc}\ x')\ z)\ t_1\ (\lambda z''.\,\lambda q'.\,0))\ \mathsf{join})))\ \mathsf{join})$

We handle the case of division by $0$ up front, obtaining an assumption $q : z = \mathsf{Suc}\ z'$ when the divisor is not zero. (Because the result type of a case may mention its scrutinee, each branch abstracts over an equality proof, and the case expression as a whole is applied to $\mathsf{join}$, which proves the trivial equation $z = z$.) Next, we case split on whether or not the dividend $x'$ is strictly less than $z$; that is, on $\mathit{lte}\ (\mathsf{Suc}\ x')\ z$. If so, we use the term $\lambda z''.\,\lambda q'.\,0$ of type

$\Pi^{\downarrow}z''{:}\mathit{nat}.\,\Pi^{\downarrow}q'{:}(\mathit{lte}\ (\mathsf{Suc}\ x')\ z = \mathsf{Suc}\ z'').\,\mathit{nat}$

and the quotient is $0$. If not, we use the term $t_1$, of type $\Pi^{\downarrow}q'{:}(\mathit{lte}\ (\mathsf{Suc}\ x')\ z = 0).\,\mathit{nat}$, which is (with $t_2$ discussed below):

$t_1 = \lambda q'.\,(\mathsf{Suc}\ (f\ (\mathit{pred}\ x)\ (\mathit{minus}\ x'\ z)\ t_2))$

In this case we subtract the divisor from the dividend, decrease our bound on the dividend by one, and use a termination cast to show that $f\ (\mathit{pred}\ x)$ is terminating. Here, we define $\mathit{pred}$ as just $\lambda x.\,\mathsf{case}\ x\ 0\ (\lambda x'.\,x')$. Of course, since this is the implicit language, the termination cast does not appear in the term itself. To apply the termination cast, we must use the implicit assumption $p$ telling us that $f$ terminates on the predecessor of $x$. We can prove that $\mathsf{case}\ x\ 0\ (\lambda x'.\,x')$ is the predecessor of $x$ in this case, because the assumptions $q : z = \mathsf{Suc}\ z'$, $q' : \mathit{lte}\ (\mathsf{Suc}\ x')\ z = 0$ (that is, false) and $u$ (which says that the dividend $x'$ is at most the bound $x$) show that $x$ is non-zero: intuitively, $q'$ says that $x'$ is greater than or equal to $z$, which is non-zero by $q$, and $u$ then says that $x$ is at least $x'$. The term $t_2$ is a proof that $\mathit{minus}\ x'\ z$ is less than or equal to the predecessor of the bound, $\mathsf{case}\ x\ 0\ (\lambda x'.\,x')$; it plays the role of $u$ for the recursive call. In fact, $\mathsf{join}$ will serve for $t_2$, because the desired equation is provable from the assumptions.
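As an added example that is not part of the paper, here is the bounded division above transcribed into Python. Natural numbers are Python ints, and 0 and 1 (that is, $\mathsf{Suc}\ 0$) stand for false and true in the result of $\mathit{lte}$. The proofs $u$, $q$, $q'$ and $t_2$ carry no runtime content, so wherever the term relies on one of them the code checks the equation it witnesses with an assert; the test is on the dividend $x'$, so that the result is the quotient, while the bound $x$ only drives termination. The function names `has_bound_proof` and `div`'s argument order are this example's own choices.

```python
# Added example (not from the paper): the bounded division of this
# section in Python. 0 / 1 (= Suc 0) stand for false / true in the
# result of lte, as on the page. The proofs u, q, q' and t2 have no
# runtime content; wherever the T^eqt term relies on one of them an
# assert checks the equation it witnesses, and "rec f(x)" on the bound
# x becomes ordinary recursion.

def lte(x, u):
    """lte = rec f(x) = λu. case x (Suc 0) (λx'. case u 0 (λu'. f x' u'))."""
    if x == 0:
        return 1                      # 0 <= u, i.e. true
    if u == 0:
        return 0                      # Suc x' <= 0 is false
    return lte(x - 1, u - 1)


def pred(x):
    """pred = λx. case x 0 (λx'. x')."""
    return 0 if x == 0 else x - 1


def minus(x, y):
    """Cut-off subtraction: the total function minus (details omitted on the page)."""
    return x - y if x >= y else 0


def has_bound_proof(x, xp):
    """Whether the hypothesis u (the dividend x' is at most the bound x) can be supplied.

    Hypothetical helper name; it stands in for the proof argument u.
    """
    return lte(xp, x) == 1


def div(z, x, xp):
    """div z x x' u: quotient of the dividend x' by z, with x an upper bound on x'."""
    assert has_bound_proof(x, xp), "u: the dividend exceeds its bound"
    if z == 0:
        return 0                      # division by 0 is handled up front
    # From here on q : z = Suc z' holds, i.e. z >= 1.

    def f(x, xp):
        # Test the dividend against the divisor: lte (Suc x') z.
        if lte(xp + 1, z) == 1:
            return 0                  # x' < z: the quotient is 0
        # q' : lte (Suc x') z = 0, so x' >= z >= 1; with u, x >= x' >= 1,
        # hence pred x is a genuine predecessor and the bound shrinks.
        assert x != 0
        # t2 : minus x' z <= pred x, the hypothesis u of the recursive call.
        assert has_bound_proof(pred(x), minus(xp, z))
        return 1 + f(pred(x), minus(xp, z))   # Suc (f (pred x) (minus x' z) t2)

    return f(x, xp)


if __name__ == "__main__":
    # Constructed sample inputs: (divisor, bound, dividend).
    for z, x, xp in [(2, 5, 5), (3, 10, 7), (3, 100, 7), (2, 5, 1), (0, 5, 3)]:
        print(f"div {z} {x} {xp} = {div(z, x, xp)}")
```

The recursion is on the bound $x$ alone, which drops by one on every call, so the depth of the recursion is bounded by the initial bound even though the dividend is arbitrary; this is the structure the termination cast on $f\ (\mathit{pred}\ x)$ exploits.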

4 A Logical Semantics for $\mathrm{T}^{\mathrm{eqt}}$

In this section, we give a semantics for $\mathrm{T}^{\mathrm{eqt}}$ in terms of a simple constructive logic called $W'$. This semantics informs our design of $\mathrm{T}^{\mathrm{eqt}}$ and can potentially be used as part of a consistency proof for $\mathrm{T}^{\mathrm{eqt}}$. The theory $W'$ is reminiscent of Feferman's theory $W$ (see, for example, Chapter 13 of [10]). $W$ is a classical second-order theory of general-recursive functions, classified by class terms which correspond to simple types. $W$ supports quantification over class terms, and quantification over defined individual terms. It is defined in Beeson's Logic of Partial Terms, a logic designed for reasoning about definedness in the presence of partial functions [1]. $W$ includes a relatively weak form of natural-number induction. Indeed, $W$ is conservative over Peano Arithmetic.
$A ::= \mathit{nat} \mid A \to A'$

$F ::= \mathsf{True} \mid \forall x{:}A.\,F \mid F \Rightarrow F' \mid F \wedge F' \mid \mathsf{Terminates}\ t \mid t = t'$

$\Sigma ::= \cdot \mid \Sigma, x{:}A$

$H ::= \cdot \mid H, F$

Figure 7: Simple types, formulas, typing contexts, and assumption contexts of $W'$
4.1 The theory W' 

Figure 7 gives the syntax for sorts $A$ (which are just simple types) and formulas $F$ for the theory $W'$, as well as typing contexts $\Sigma$ and contexts $H$ for logical assumptions. Terms $t$ are just as for (implicit) $\mathrm{T}^{\mathrm{eqt}}$, except without $\mathsf{contra}$, $\mathsf{terminates}$, and $\mathsf{join}$. Figure 8 gives the proof rules for the theory $W'$. The form of judgments is $\Sigma; H \vdash F$. This expresses that formula $F$ holds under the assumed formulas in $H$. $\Sigma$ is a typing context declaring the free term-level variables occurring in $H$ and $F$.

$W'$ is similar in spirit to Feferman's $W$, but differs in a number of details. First, $W$ is a two-sorted theory: there is a sort for individual terms, and one for class terms. To express that term $t$ is in class $C$, theory $W$ uses an atomic formula $t \in C$. Our theory $W'$, in contrast, is a multi-sorted first-order logic, with one sort for every simple type. So $W'$ does not make use of a predicate symbol to express that a term has a sort. We only insist that terms are well-sorted when instantiating quantifiers. This is apparent in the rule Pv_AllE, which depends on a simple typing judgment for $W'$. The rules for this typing judgment may be found in the companion technical report. Well-formedness of equations does not require well-sortedness of the terms in $W'$ (as also in $W$). Also, we have no reason at the moment to include non-constructive reasoning in $W'$, so we define it using principles of intuitionistic logic only.

A few more words on the proof principles of $W'$ are warranted. The rule Pv_OpSem equates terms $t$ and $t'$ whenever $t \leadsto t'$, that is, whenever $t$ reduces to $t'$. Thanks to the Pv_Subst rule, symmetry and transitivity of equality can be derived in a standard way. We do not require quantifiers to be instantiated by only terminating terms. This means that for induction principles, we must state explicitly that the terms in question are terminating. We include a principle Pv_CompInd of computational induction, on the structure of a terminating computation. That is, if we know that an application of a recursive function is terminating, we can prove a property of such an application by assuming it is true for the recursive calls, and showing it is true for an arbitrary outer call of the function. Note that the assumption of termination of the application of the recursive function is essential: without it, we could prove that diverging terms terminate. We also include a principle Pv_TermInv of computational inversion, which allows us to conclude $\mathsf{Terminates}\ t$ from $\mathsf{Terminates}\ \mathcal{C}[t]$, where $\mathcal{C}$ is an evaluation context. Interestingly, even without the inversion rule of $\mathrm{T}^{\mathrm{eqt}}$, the theorem we prove below would make heavy use of computational inversion. In a classical theory like $W$, this principle may well be derivable from the other axioms. Here, it does not seem to be.

Computational translation of terms Figure 9 defines what we will refer to as the computational translation $[\![t]\!]^{C}$ of $\mathrm{T}^{\mathrm{eqt}}$ terms (the "C" is for computational). This translation, which is almost trivial, just maps the logical terms $\mathsf{join}$, $\mathsf{terminates}$, and $\mathsf{contra}$ to $0$ and is homomorphic on everything else.

Translation of types Next, given a $\mathrm{T}^{\mathrm{eqt}}$ type $T$, we define $[\![T]\!]^{C}$ and $[\![T]\!]^{L}$. The "L" is for logical translation. Here $[\![T]\!]^{C}$ is a sort $A$, and $[\![T]\!]^{L}$ is a predicate on translated terms. Recall that the syntax for such sorts and for the formulas $F$ used in such predicates is defined in Figure 7 above. The definition of the interpretations is then given in Figure 10. Note that one can confirm the well-foundedness of this definition by expanding the definition of $[\![T]\!]^{L}_{\theta}$, a convenient abbreviation, wherever it is used.
$\dfrac{F \in H}{\Sigma; H \vdash F}$ (Pv_Assume)

$\dfrac{}{\Sigma; H \vdash \mathsf{True}}$ (Pv_TrueI)

$\dfrac{\Sigma, x{:}A; H \vdash F \qquad x \notin \mathrm{FV}(H)}{\Sigma; H \vdash \forall x{:}A.\,F}$ (Pv_AllI)

$\dfrac{\Sigma; H \vdash \forall x{:}A.\,F \qquad \Sigma \vdash t : A}{\Sigma; H \vdash [t/x]F}$ (Pv_AllE)

$\dfrac{\Sigma; H, F \vdash F'}{\Sigma; H \vdash F \Rightarrow F'}$ (Pv_ImpI)

$\dfrac{\Sigma; H \vdash F \Rightarrow F' \qquad \Sigma; H \vdash F}{\Sigma; H \vdash F'}$ (Pv_ImpE)

$\dfrac{\Sigma; H \vdash F \qquad \Sigma; H \vdash F'}{\Sigma; H \vdash F \wedge F'}$ (Pv_AndI)

$\dfrac{\Sigma; H \vdash F \wedge F'}{\Sigma; H \vdash F}$ (Pv_AndE1)

$\dfrac{\Sigma; H \vdash F \wedge F'}{\Sigma; H \vdash F'}$ (Pv_AndE2)

$\dfrac{t \leadsto t'}{\Sigma; H \vdash t = t'}$ (Pv_OpSem)

$\dfrac{\Sigma; H \vdash t = t' \qquad \Sigma; H \vdash [t/x]F}{\Sigma; H \vdash [t'/x]F}$ (Pv_Subst)

$\dfrac{\Sigma; H \vdash 0 = \mathsf{Suc}\ t}{\Sigma; H \vdash F}$ (Pv_Contra)

$\dfrac{}{\Sigma; H \vdash \mathsf{Terminates}\ 0}$ (Pv_Term0)

$\dfrac{\Sigma; H \vdash \mathsf{Terminates}\ t}{\Sigma; H \vdash \mathsf{Terminates}\ (\mathsf{Suc}\ t)}$ (Pv_TermS)

$\dfrac{}{\Sigma; H \vdash \mathsf{Terminates}\ (\lambda x.\,t)}$ (Pv_TermAbs)

$\dfrac{}{\Sigma; H \vdash \mathsf{Terminates}\ (\mathsf{rec}\ f(x) = t)}$ (Pv_TermRec)

$\dfrac{\Sigma; H \vdash \mathsf{Terminates}\ \mathsf{abort}}{\Sigma; H \vdash F}$ (Pv_NotTermAbort)

$\dfrac{\Sigma; H \vdash \mathsf{Terminates}\ \mathcal{C}[t]}{\Sigma; H \vdash \mathsf{Terminates}\ t}$ (Pv_TermInv)

$\dfrac{\Sigma; H \vdash [0/x]F \qquad \Sigma, x'{:}\mathit{nat}; H, \mathsf{Terminates}\ x', [x'/x]F \vdash [\mathsf{Suc}\ x'/x]F}{\Sigma; H \vdash \forall x{:}\mathit{nat}.\,\mathsf{Terminates}\ x \Rightarrow F}$ (Pv_Ind)

$\dfrac{\Sigma, f{:}A' \to A; H, \forall x{:}A'.\,[f\ x/z]F \vdash \forall x{:}A'.\,[t/z]F \qquad \Sigma \vdash \mathsf{rec}\ f(x) = t : A' \to A}{\Sigma; H \vdash \forall x{:}A'.\,\mathsf{Terminates}\ ((\mathsf{rec}\ f(x) = t)\ x) \Rightarrow [(\mathsf{rec}\ f(x) = t)\ x/z]F}$ (Pv_CompInd)

Figure 8: Theory $W'$



$[\![\lambda x.\,t]\!]^{C} = \lambda x.\,[\![t]\!]^{C}$

$[\![\mathsf{Suc}\ t]\!]^{C} = \mathsf{Suc}\ [\![t]\!]^{C}$

$[\![\mathsf{terminates}]\!]^{C} = 0$

$[\![\mathsf{abort}]\!]^{C} = \mathsf{abort}$

$[\![\mathsf{case}\ t\ t'\ t'']\!]^{C} = \mathsf{case}\ [\![t]\!]^{C}\ [\![t']\!]^{C}\ [\![t'']\!]^{C}$

$[\![0]\!]^{C} = 0$

$[\![\mathsf{join}]\!]^{C} = 0$

$[\![\mathsf{contra}]\!]^{C} = 0$

$[\![\mathsf{rec}\ f(x) = t]\!]^{C} = \mathsf{rec}\ f(x) = [\![t]\!]^{C}$

Figure 9: Computational translation of terms
$[\![\mathit{nat}]\!]^{C} = \mathit{nat}$ \qquad $[\![\mathit{nat}]\!]^{L}\ t = \mathsf{True}$

$[\![\Pi^{\theta}x{:}T.\,T']\!]^{C} = [\![T]\!]^{C} \to [\![T']\!]^{C}$ \qquad $[\![\Pi^{\theta}x{:}T.\,T']\!]^{L}\ t = \forall x{:}[\![T]\!]^{C}.\,[\![T]\!]^{L}_{\downarrow}\ x \Rightarrow [\![T']\!]^{L}_{\theta}\ (t\ x)$

$[\![t = t']\!]^{C} = \mathit{nat}$ \qquad $[\![t_1 = t_2]\!]^{L}\ t = ([\![t_1]\!]^{C} = [\![t_2]\!]^{C})$

$[\![\mathsf{Terminates}\ t]\!]^{C} = \mathit{nat}$ \qquad $[\![\mathsf{Terminates}\ t']\!]^{L}\ t = \mathsf{Terminates}\ [\![t']\!]^{C}$

$[\![T]\!]^{L}_{\downarrow}\ t = \mathsf{Terminates}\ t \wedge [\![T]\!]^{L}\ t$

$[\![T]\!]^{L}_{\uparrow}\ t = \mathsf{Terminates}\ t \Rightarrow [\![T]\!]^{L}\ t$

Figure 10: Interpretation of types



4.2 Examples 

Example 1. If we consider the type $\Pi^{\downarrow}x_1{:}\mathit{nat}.\,\Pi^{\downarrow}x_2{:}\mathit{nat}.\,\mathit{nat}$, we will get the following. Note that the assumptions below that variables terminate reflect the call-by-value nature of the language. A translation for a call-by-name language would presumably not include such assumptions.

$[\![\Pi^{\downarrow}x_1{:}\mathit{nat}.\,\Pi^{\downarrow}x_2{:}\mathit{nat}.\,\mathit{nat}]\!]^{C} = \mathit{nat} \to (\mathit{nat} \to \mathit{nat})$

$[\![\Pi^{\downarrow}x_1{:}\mathit{nat}.\,\Pi^{\downarrow}x_2{:}\mathit{nat}.\,\mathit{nat}]\!]^{L}\ \mathit{plus} = \forall x_1{:}\mathit{nat}.\,\mathsf{Terminates}\ x_1 \wedge \mathsf{True} \Rightarrow \mathsf{Terminates}\ (\mathit{plus}\ x_1) \wedge \forall x_2{:}\mathit{nat}.\,\mathsf{Terminates}\ x_2 \wedge \mathsf{True} \Rightarrow \mathsf{Terminates}\ (\mathit{plus}\ x_1\ x_2) \wedge \mathsf{True}$

Example 2 (higher-order, total). If we wanted to type a function $\mathit{iter}$ which iterates a terminating function $x_1$, starting from $x_2$, and does this iteration $x_3$ times, we might use the type:

$\Pi^{\downarrow}x_1{:}(\Pi^{\downarrow}x{:}\mathit{nat}.\,\mathit{nat}).\,\Pi^{\downarrow}x_2{:}\mathit{nat}.\,\Pi^{\downarrow}x_3{:}\mathit{nat}.\,\mathit{nat}$

For this type (call it $T$ for brevity), we will get the following translations:

$[\![T]\!]^{C} = (\mathit{nat} \to \mathit{nat}) \to (\mathit{nat} \to (\mathit{nat} \to \mathit{nat}))$

$[\![T]\!]^{L}\ \mathit{iter} = \forall x_1{:}\mathit{nat} \to \mathit{nat}.\,\mathsf{Terminates}\ x_1 \wedge (\forall x{:}\mathit{nat}.\,\mathsf{Terminates}\ x \wedge \mathsf{True} \Rightarrow \mathsf{Terminates}\ (x_1\ x) \wedge \mathsf{True}) \Rightarrow \mathsf{Terminates}\ (\mathit{iter}\ x_1) \wedge \forall x_2{:}\mathit{nat}.\,\mathsf{Terminates}\ x_2 \wedge \mathsf{True} \Rightarrow \mathsf{Terminates}\ (\mathit{iter}\ x_1\ x_2) \wedge \forall x_3{:}\mathit{nat}.\,\mathsf{Terminates}\ x_3 \wedge \mathsf{True} \Rightarrow \mathsf{Terminates}\ (\mathit{iter}\ x_1\ x_2\ x_3) \wedge \mathsf{True}$

Notice that in this case, the logical interpretation $[\![T]\!]^{L}$ includes the hypothesis that the function $x_1$ is total, that is, that $x_1\ x$ terminates for every terminating argument $x$. This corresponds to the fact that $x_1$ has type $\Pi^{\downarrow}x{:}\mathit{nat}.\,\mathit{nat}$ in the original $\mathrm{T}^{\mathrm{eqt}}$ type.

Example 3 (higher-order, partial). If we wanted to type a different version of $\mathit{iter}$ which, when given a general-recursive function $x_1$ and a starting value $x_2$, returns a general-recursive function taking input $x_3$ and iterating $x_1$ $x_3$ times starting from $x_2$, we might use the type:

$\Pi^{\downarrow}x_1{:}(\Pi^{\uparrow}x{:}\mathit{nat}.\,\mathit{nat}).\,\Pi^{\downarrow}x_2{:}\mathit{nat}.\,\Pi^{\uparrow}x_3{:}\mathit{nat}.\,\mathit{nat}$



$[\![\cdot]\!]^{C} = \cdot$ \qquad $[\![\cdot]\!]^{L} = \cdot$

$[\![\Gamma, x{:}T]\!]^{C} = [\![\Gamma]\!]^{C}, x{:}[\![T]\!]^{C}$ \qquad $[\![\Gamma, x{:}T]\!]^{L} = [\![\Gamma]\!]^{L}, [\![T]\!]^{L}_{\downarrow}\ x$

Figure 11: Interpretation of contexts

For this type (call it $T$), we will get the following logical translation:

$[\![T]\!]^{L}\ \mathit{iter} = \forall x_1{:}\mathit{nat} \to \mathit{nat}.\,\mathsf{Terminates}\ x_1 \wedge (\forall x{:}\mathit{nat}.\,\mathsf{Terminates}\ x \wedge \mathsf{True} \Rightarrow \mathsf{Terminates}\ (x_1\ x) \Rightarrow \mathsf{True}) \Rightarrow \mathsf{Terminates}\ (\mathit{iter}\ x_1) \wedge \forall x_2{:}\mathit{nat}.\,\mathsf{Terminates}\ x_2 \wedge \mathsf{True} \Rightarrow \mathsf{Terminates}\ (\mathit{iter}\ x_1\ x_2) \wedge \forall x_3{:}\mathit{nat}.\,\mathsf{Terminates}\ x_3 \wedge \mathsf{True} \Rightarrow \mathsf{Terminates}\ (\mathit{iter}\ x_1\ x_2\ x_3) \Rightarrow \mathsf{True}$

4.3 Translation of contexts 

Figure 11 gives a similar two-part translation of typing contexts. The translation $[\![\cdot]\!]^{C}$ produces a simple-typing context $\Sigma$, while the translation $[\![\cdot]\!]^{L}$ produces a logical context $H$, which asserts, for each variable $x$, that $x$ terminates and has the property given by the $[\![\cdot]\!]^{L}$ translation of its type.
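The translations of Figures 10 and 11, as an added Python example that is not part of the paper: it regenerates the formulas of Examples 1 to 3 from the type syntax, so the hand-written translations above can be checked mechanically. Terms are plain strings, assumed to have already passed through the computational translation of Figure 9, and the effects are the strings "↓" and "↑"; the constructor names (`Nat`, `Pi`, `Eq`, `Terminates`) and the function names are this example's own.

```python
# Added example (not part of the paper): the type translations [[T]]^C,
# [[T]]^L t, [[T]]^L_θ t of Figure 10 and the context translations of
# Figure 11, producing formulas of W' as strings. Terms are strings,
# assumed already computationally translated (Figure 9).
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Nat:
    pass


@dataclass(frozen=True)
class Pi:                 # Π^θ x:dom. cod
    eff: str              # "↓" (total) or "↑" (possibly partial)
    var: str
    dom: "Ty"
    cod: "Ty"


@dataclass(frozen=True)
class Eq:                 # t1 = t2 (terms as strings)
    lhs: str
    rhs: str


@dataclass(frozen=True)
class Terminates:         # Terminates t
    t: str


Ty = Union[Nat, Pi, Eq, Terminates]


def _arrow_operand(a: str) -> str:
    # Parenthesise an arrow sort when it sits on either side of another arrow.
    return f"({a})" if "→" in a else a


def sort(T: Ty) -> str:
    """[[T]]^C: the W' sort (simple type) of a T^eqt type."""
    if isinstance(T, Pi):
        return f"{_arrow_operand(sort(T.dom))} → {_arrow_operand(sort(T.cod))}"
    return "nat"          # nat, equations and Terminates all have sort nat


def _atom(t: str) -> str:
    # Parenthesise an application when it is the argument of Terminates.
    return f"({t})" if " " in t else t


def pred(T: Ty, t: str) -> str:
    """[[T]]^L t: the W' formula saying that term t has type T."""
    if isinstance(T, Nat):
        return "True"
    if isinstance(T, Eq):
        return f"{T.lhs} = {T.rhs}"
    if isinstance(T, Terminates):
        return f"Terminates {_atom(T.t)}"
    x = T.var
    body = pred(T.dom, x)
    if body.startswith("∀"):          # a quantified hypothesis left of ⇒ needs parentheses
        body = f"({body})"
    hyp = f"Terminates {x} ∧ {body}"  # [[dom]]^L_↓ x: arguments are values (call-by-value)
    app = f"{t} {x}"
    return f"∀{x}:{sort(T.dom)}. {hyp} ⇒ {pred_eff(T.eff, T.cod, app)}"


def pred_eff(eff: str, T: Ty, t: str) -> str:
    """[[T]]^L_θ t: [[T]]^L_↓ conjoins Terminates t, [[T]]^L_↑ assumes it."""
    conn = {"↓": "∧", "↑": "⇒"}[eff]
    return f"Terminates {_atom(t)} {conn} {pred(T, t)}"


Ctx = List[Tuple[str, Ty]]


def ctx_sorts(G: Ctx) -> List[str]:
    """[[Γ]]^C: the W' typing context Σ."""
    return [f"{x}:{sort(T)}" for x, T in G]


def ctx_hyps(G: Ctx) -> List[str]:
    """[[Γ]]^L: the assumption context H, one [[T]]^L_↓ x per variable."""
    return [pred_eff("↓", T, x) for x, T in G]


# The three types of Section 4.2.
EXAMPLE1 = Pi("↓", "x1", Nat(), Pi("↓", "x2", Nat(), Nat()))
EXAMPLE2 = Pi("↓", "x1", Pi("↓", "x", Nat(), Nat()),
              Pi("↓", "x2", Nat(), Pi("↓", "x3", Nat(), Nat())))
EXAMPLE3 = Pi("↓", "x1", Pi("↑", "x", Nat(), Nat()),
              Pi("↓", "x2", Nat(), Pi("↑", "x3", Nat(), Nat())))

if __name__ == "__main__":
    for T, t in [(EXAMPLE1, "plus"), (EXAMPLE2, "iter"), (EXAMPLE3, "iter")]:
        print(f"[[T]]^C = {sort(T)}")
        print(f"[[T]]^L {t} = {pred(T, t)}")
        print()
```

Running the script prints exactly the three translations of Section 4.2; the only difference between Examples 2 and 3 is the connective chosen by `pred_eff` for the two $\Pi^{\uparrow}$ positions, which is where the termination of $x_1\ x$ and of $\mathit{iter}\ x_1\ x_2\ x_3$ turns from a conclusion into a hypothesis.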

4.4 Translation of typing judgments 

We are now in a position to state the main theorems of this paper. The proofs are given in the companion technical report. Theorem 4 shows that the logical translation of types is sound: the property expressed by $[\![T]\!]^{L}_{\theta}$ can indeed be proved to hold for the translation $[\![t]\!]^{C}$ of terms $t$ of type $T$.

Theorem 3 (Soundness of Computational Translation). If $\Gamma \vdash t : T\ \theta$, then $[\![\Gamma]\!]^{C} \vdash [\![t]\!]^{C} : [\![T]\!]^{C}$.

Theorem 4 (Soundness of Logical Translation). If $\Gamma \vdash t : T\ \theta$, then $[\![\Gamma]\!]^{C}; [\![\Gamma]\!]^{L} \vdash [\![T]\!]^{L}_{\theta}\ [\![t]\!]^{C}$.

5 Related Work 

Capretta's Partiality Monad Capretta gives an account of general recursion in terms of a coinductive type constructor $(\cdot)^{\nu}$, and many $\mathrm{T}^{\mathrm{eqt}}$ programs can be fairly mechanically translated into programs using $(\cdot)^{\nu}$ by a translation similar to the one described by Wadler and Thiemann [19]. However, one interesting difference is that $\mathrm{T}^{\mathrm{eqt}}$ functions can have a return type which depends on a potentially nonterminating argument. It is not clear how to represent this in a monadic framework.

For example, if we imagine a version of $\mathrm{T}^{\mathrm{eqt}}$ extended with option types, and suppose we are given a decision procedure for equality of nats and a partial function which computes the minimum zero of a function:

$\mathit{eqDec} : \Pi^{\downarrow}x{:}\mathit{nat}.\,\Pi^{\downarrow}x'{:}\mathit{nat}.\,\mathsf{Maybe}\ (x = x')$

$\mathit{minZero} : \Pi^{\uparrow}f{:}(\Pi^{\downarrow}x{:}\mathit{nat}.\,\mathit{nat}).\,\mathit{nat}$

Then we can easily compose these to make a function to test whether two functions have the same least zero:

$\lambda f.\,\lambda f'.\,\mathit{eqDec}\ (\mathit{minZero}\ f)\ (\mathit{minZero}\ f')$

$: \Pi^{\downarrow}f{:}(\Pi^{\downarrow}x{:}\mathit{nat}.\,\mathit{nat}).\,\Pi^{\uparrow}f'{:}(\Pi^{\downarrow}x{:}\mathit{nat}.\,\mathit{nat}).\,\mathsf{Maybe}\ (\mathit{minZero}\ f = \mathit{minZero}\ f')$
However, the naive translation of this into monadic form,

$\lambda f.\,\lambda f'.\,(\mathit{minZero}\ f) \mathbin{>\!\!>\!=} (\lambda m.\,(\mathit{minZero}\ f') \mathbin{>\!\!>\!=} (\lambda m'.\,\mathsf{return}\ (\mathit{eqDec}\ m\ m')))$,

is not well typed, since the monadic bind $\mathbin{>\!\!>\!=} : \forall A\,B.\,A^{\nu} \to (A \to B^{\nu}) \to B^{\nu}$ does not have a way to propagate the type dependency: the result type $\mathsf{Maybe}\ (\mathit{minZero}\ f = \mathit{minZero}\ f')$ mentions the two possibly diverging computations themselves, not the values $m$ and $m'$ that bind makes available.

Other Another approach, not depending on coinductive types, is explored by Capretta and Bove, who define a special-purpose accessibility predicate for each general-recursive function, and then define the function by structural recursion on the proof of accessibility for the function's input [6]. ATS and Guru both separate the domains of proofs and programs, and can thus allow general recursion without endangering logical soundness [17, 8]. Systems like Cayenne, Ωmega [15], and Concoqtion [13] support dependent types and general recursion, but do not seek to identify a fragment of the term language which is sound as a proof system (although Concoqtion uses Coq proofs for reasoning about type indices).

6 Conclusion 

$\mathrm{T}^{\mathrm{eqt}}$ combines equality types and general recursion, using an effect system to distinguish total from possibly partial terms. Termination casts are used to change the type system's view of the termination behavior of a term. Like other casts, termination casts have no computational relevance and are erased in passing from the annotated to the implicit type system. We have given a logical semantics for $\mathrm{T}^{\mathrm{eqt}}$ in terms of a multi-sorted first-order theory of general-recursive functions. Future work includes further meta-theory, including type soundness for $\mathrm{T}^{\mathrm{eqt}}$ and further analysis of the proposed theory $W'$, as well as the incorporation of other typing features, in particular polymorphism and large eliminations. An important further challenge is devising algorithms to reconstruct annotations in simple cases or for common programming idioms.